Introduction


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals' rights.


The public consultation on the draft code will remain open until 4 
March 2020. The Information Commissioner welcomes feedback on
the specific questions set out below. 


You can email your response to directmarketingcode@ico.org.uk 
Or print and post to: 


Direct Marketing Code Consultation Team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (e.g. a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (e.g. sole traders, academics etc.) will be 
published but any personal data will be removed before publication 
(including email addresses and telephone numbers). 


For more information about what we do with personal data please see
our privacy notice.


Q1 Is the draft code clear and easy to understand? 


Yes 
x No 


If no please explain why and how we could improve this: 


Although on the whole the code is reasonably clear, we believe that the ability to fully understand the 
content is very much linked to the extent of the reader’s knowledge and expertise in the technical and
legal requirements of data privacy legislation. For many organisations, this is of no concern as they
will have subject matter experts on hand to guide staff through the meaning of processing activities;
however, for SMEs and particularly within the Charity sector, very small charities, we feel they will
struggle significantly to understand the nuances. 


We understand the need for the ICO to develop and implement a Code which provides practical advice 
and examples however, are concerned that with the new statutory nature of the Code, the mixture of 
legal requirements and best practice requirements comes across as limiting, and restricting the ability 
of organisations who may after careful consideration, informed processes and evidence, determine that 
a different approach is fair and lawful. In particular, we would like to see the Code give much more 
emphasis on organisations being individually accountable for their decision-making process in 
processing personal data for direct marketing purposes. We feel this Code differs from previous 
guidance issued by the ICO which adopts a principles-based approach based on fair and transparent 
processing and are concerned that the more prescriptive nature of the guidance contained in the Code 
as drafted, tells organisations what they can or can’t do rather than guiding them towards determining 
how best to embed GDPR into their direct marketing practice. 


We feel this is particularly prevalent in the following areas: 


• The inclusion of best practice recommendations throughout the document. We feel that with the
updated statutory nature of this Code, best practice recommendations should be removed so the 
Code can focus on how organisations can be compliant. The discretion and accountability for 
decision-making should be left to the organisation. Where there is more than one legal/valid option, 
we feel the Code should explain these clearly rather than providing an opinion on which option 
organisations should adopt. We believe that the recommendations do not provide clarity, in fact 
they probably do the opposite and would indicate that there is a hierarchy to the lawful bases which 
isn’t correct. In particular, we have significant concerns over the statement quite early on that 
consent should be used for all marketing activity even if the law does not require it. This is a
wide-sweeping statement that we believe will cause confusion particularly in the charity sector. We
believe it takes away the accountability for individual organisations and may mean people think 
about consent as a tick box compliance exercise rather than them taking responsibility for ensuring 
they use the lawful basis which is most appropriate for their supporters or beneficiaries. 


• There are a number of places throughout the Code which make assumptions about what members
of the public understand or expect. We are concerned that these assumptions may not be wholly 
representative of all individuals and although we appreciate everyone has the same privacy rights, 
we are very aware that not everyone has the same expectations or preferences. We would like to 
see the Code place more importance on organisations understanding the expectations of their 
customers, donors, supporters etc. and being able to use this to determine and judge what is fair or 
expected. This might be done by the Code providing some guidance or check lists on what 
organisations can do to help them make decisions which treat individuals fairly and best meet 
expectations. 


• We appreciate and are grateful for the level of practical examples contained within the Code and
that many of these will help the Charity sector. However, we do note that many appear to focus on 
practices that aren’t considered acceptable practice and we feel there would be huge added value 
in these examples being complemented by further information or guidance on how the same activity 
could be done fairly and lawfully. Without that, there is a risk that individual organisations will 
believe it’s the activity which is unlawful as opposed to the way in which it was undertaken. 
Alternatively, perhaps some of the examples could be positive examples of how a specific practice 
could be lawful and fair. 


Finally, we would ask that thought is given to the glossary of terms at the end with a view to more 
extensively populating the contents. There are a number of technical abbreviations and descriptions 
that are not adequately defined. We would also question whether this should be at the beginning of 
the document as it quite quickly goes into using abbreviations that some less experienced 
professionals may not fully appreciate. Alternatively, perhaps the first use of the abbreviation should 
only follow the full description. 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to 
duplicate all our existing data protection and e-privacy guidance) 


x Yes 
No 


If no please explain what changes or improvements you would like to
see?


On the whole, we feel that the code covers a good level of detail — it is certainly a comprehensive
document and we wouldn't wish to see it any longer. It is good to see the Code covering more modern
examples of marketing activity and attempting to address some of the technological advancements
since it was last drafted. Having said that, we feel that there could be improvements in the consistency
between the content of this Code and other guidance already available in areas such as fair processing
notices, retention etc. In addition, and in line with concerns detailed above, we would also like to see
more focus placed on allowing organisations to take ownership of accountability and judgement in the
principle-based nature of data protection and marketing practices. Overall, we understand this may
mean a slightly less detailed piece of guidance in some areas but feel strongly that organisations should
be given the tools to make the decisions right for them and as currently drafted are concerned that some
organisations will not consider this fully and instead will just apply best practice recommendations
irrespective of whether this is right for their audience.


We would also raise a comment about the social media section. This is a welcome addition to the
guidance but we have concerns that the approach taken in this regard is too broad and assumes all
social media and social media platforms have the same uses, terms and conditions, audiences etc.
Whilst we appreciate it is not necessarily appropriate or possible for the guidance to be platform
specific, we do feel it should include more reference to or examples of what to consider when using
different platforms that would help organisations inform their internal practices on a more personal level.
It would also be good to see some guidance and advice for organisations that are struggling to develop
relationships with the social media platforms in relation to the shared legal responsibilities that the Code
quite rightly sets out. Practically, many large platforms adopt a take it or leave it approach to their terms
of business which can leave some organisations with a compliance dilemma or in a position where they
do not have the same level of influence to ensure a fair and truly joint relationship.


Q3 Does the draft code cover the right issues about direct marketing? 


x Yes 
No 


If no please outline what additional areas you would like to see 
covered: 


Overall, the code covers many issues regarding direct marketing and it has adopted an incredibly 
broad definition of direct marketing purposes. 


As mentioned elsewhere in our submission, we feel there is a need to review this guidance against 
other advice provided and perhaps this requires some thought as to how to include enough detail that 
other guidance notes are not duplicated without implying that the method set out in this guidance is the 
only option available to organisations. 


As organisations look for new and innovative ways to market their products, services and organisations 
to their existing and future customers it is important this guidance can keep up and is reviewed 
regularly. If the focus of the document can be put on organisations being given the tools to make 
informed decisions and to take ownership of their accountability, this should help future proof the 
document. 


Q4 Does the draft code address the areas of data protection and
e-privacy that are having an impact on your organisation’s direct
marketing practices?


x Yes 
No 


If no please outline what additional areas you would like to see covered 


The areas of interest to us in marketing, as a charity, are covered within this document. However, 
there are some specific areas where we have thoughts, comments or where the Code as written has 
created questions about interpretation and meaning. These are summarised below: 


Profiling — profiling itself is a term used for a wide-range of activities. This might go from deciding 
which people to send a marketing campaign to, to attempting to find new audiences, or undertaking 
research of who may be able to provide a large donation to the Charity for a specific project. 
Although we understand and appreciate some aspects of profiling can be intrusive, many are there 
to protect or help the individuals and ensure they do not receive inappropriate or too much 
marketing material. The guidance doesn’t necessarily give enough weight to the variation of 
profiling activities and it is important this is distinguished much more clearly. We would like to see 
the organisation being guided in how it can use its discretion and common sense to ensure profiling 
activity is lawful and fair under a range of circumstances rather than a blanket implication that 
profiling without consent is “unlikely to be fair”. 


Service messages — as a Charity, service messages tend to take on a slightly different 
interpretation to many commercial organisations. There are some messages which are clearly 
administrative and others where we consider them to be stewarding those who have a relationship 
with our organisation, such as thank you letters. It feels inappropriate for us to have to ask for 
permission/consent to send someone a letter thanking them for their donation because in 
explaining what difference the donation has made this has become a piece of marketing. We 
wonder whether this is an inadvertent interpretation based on the guidance and whether there is 
scope for clarifying the ability for organisations to have independent judgement on the point at 
which promoting our aims truly becomes marketing. 


Viral marketing / refer a friend — we note with interest the section on refer a friend/viral marketing 
and the need to have consent from all parties concerned for any electronic marketing to be 
compliant. Similar to service messages, this may have an indirect impact on the charity sector in, 
for example, event participation. Would the regulators consider that if a charity asked people to 
sign up to a challenge event and invite their friends this would then fall within a “tell a friend” 
campaign? Similarly if a volunteer committee member reaches out to friends and families in relation 
to the purpose for the committee, does that also count as refer a friend marketing? 


We note that the Code refers to the European Data Protection Board and references financial 
penalties in €. We would assume that an exercise will take place to review this and ensure it 
remains relevant in light of the UK’s exit from the EU prior to final publication. 


There are some location-based direct marketing tools that we are required to use, for example in 
excluding certain areas for raffle advertisements. There is some confusion around how these 
requirements fit with the location-based section on page 96. 


We have concern about the reference to needing a pre-existing relationship with an individual to 
send them marketing by post which, where organisations choose to use legitimate interests for 
postal marketing, would not be required. Greater clarity around this would be useful to avoid any 
misunderstanding or misinterpretation. This is referenced on page 36 and later on page 66. 


Q5 Is it easy to find information in the draft code?


x Yes 
No 


If no, please provide your suggestions on how the structure could be 
improved: 


Overall, for such a large document, it is relatively easy to navigate although we do have some 
comments around the structure and layout which we believe would help to improve some areas and 
these are summarised below: 


• Although we appreciate the purpose behind having the summaries at the beginning of the
document, we have some concern that they could be easily taken out of context resulting in a less
personal approach by organisations to their practices.

• There are a lot of abbreviations, not all of which are fully defined for the first use and the glossary
doesn’t always include all terms e.g. direct marketing is not defined in the glossary. In addition, the
glossary is inconsistent including TPS but not MPS.

• We would like to see expanded use of “at a glance” sections perhaps incorporating checklists that
can help organisations cover off the basics.

• We suggest changing the ticks and crosses in the table across pages 30-31 to ‘Yes’ or ‘No’ values.
We feel the ‘Live’ phone calls line is particularly confusing as it is currently written.

• We would like to see more prominence on the restrictions to the use of soft opt-in referenced on
page 76.

• There are some areas where we feel the descriptions are confusing e.g. final paragraph on page
17. We would welcome a more succinct/straightforward way of presenting this information.


Q6 Do you have any examples of direct marketing in practice, good or bad,
that you think it would be useful to include in the code?


x Yes 
No 


If yes, please provide your direct marketing examples:


We believe that more focus should be had on positive practical examples or on explaining why the 
example is considered poor practice. This will help organisations to understand that sometimes it is 
the way a practice is undertaken which makes it unfair or unlawful, not the practice itself. Previous 
guidance issued by the regulator used to provide good and bad examples; this was always really
useful to help inform the distinction of principle-based legislation. 


More examples of behavioral advertising or social media marketing would be very much appreciated. 


Further, we would like to see examples of how an organisation can ensure its consent asks are 
granular and specific whilst being concise and easy to understand. Quite often these requirements 
contradict each other and to understand how the regulator believes it is possible to achieve both 
simultaneously would be very much appreciated. 


Q7 Do you have any other suggestions for the direct marketing code? 


We would raise the below comments and thoughts having read the draft of the revised Code in depth. 
These may be points where we believe further clarity would be of use or questions about the potential 
interpretation of the content and examples as drafted. 


In the summary, ‘Profiling and data enrichment’ section, the code discusses non-personal data 
assumptions becoming personal data. In this regard, the context in relation to the point at which it 
becomes personal data is a little unclear and perhaps clarification would be useful or an example 
to validate the statement? We would assume that this would be the point at which the
“non-personal data assumptions” are actually attached to or associated with a specific individual.


In the same section, there is reference to buying additional content for existing customers or 
supporters and the justification for tracing individuals. As mentioned previously, the summary 
doesn’t give any context to these statements (although this comes later in the document) and may 
well imply if not followed through to the detailed sections that these practices are always unfair or 
unlawful. However, we would assume that the intention is not to prevent services such as Royal 
Mail Redirection from continuing (which currently works on permissions managed by Royal Mail 
and, last time checked, was an opt-out) or registers such as the bereavement registers, which 
many organisations choose to run their data against to ensure communications are not sent to 
those who have recently passed away thus causing distress to family and relatives. 


We read with interest your example on page 27 relating to a supermarket marketing its customers 
about its decision to support a charity. It would be interesting to understand whether the 
suggested best practice requirement to screen against the Charity’s suppression list is something 
which would apply where the marketing is instigated solely by the supermarket or whether it 
makes a difference if it’s a jointly instigated marketing activity? We would foresee information 
sharing challenges with the practical implementation of running another organisation’s customer
lists against our suppression list. 


There are many references throughout the draft Code to the Article 13 and 14 requirements for fair 
processing notice information, including page 33 in relation to how consent applies to direct 
marketing. In isolation, we would question whether this needs to more closely mirror/reference the 
previously released guidance from the ICO on Fair Processing Notices and the ability to use 
layering in the delivery of the information. The current drafting could be considered contradictory 
and require all information to be given immediately which would result in substantial, long and 
complex statements appearing on all information unnecessarily. Similarly, we note your advice 
that the example provided on page 50 is considered too vague. It would be useful to understand 
what might resolve this as part of the example. 


There appears to be an error near the bottom of page 40, an additional ‘t’ part way through a 
sentence that can be removed. There are also some grammar errors on page 4 (e.g. it should be 
“additional” not “addition”), and an unnecessary capital ‘B’ used in “because” in the example on 
page 62. Page 56 ‘At a glance’ in the second paragraph should read “...to profile people on the
use of their special categories...”, and on page 68 it states ‘CPTS’ instead of ‘CTPS’.


Under the ‘Can we use data cleansing and tracing services’ section on page 62, the Code 
advises that PECR confirms consent is non-transferable. We appreciate this paragraph is 
drafted in specific relation to the use of data cleansing or data tracing services however, there 
is a risk that this also implies that if an individual advises an organisation of a change in their 
details such as a new email address or telephone number, any previously obtained consent 
relating to that channel is no longer valid and the individual must be re-permissioned. This 
feels overly burdensome, and we’d seek some context or assurances that this relates solely to 
purchased/traced information. 


We believe the top two paragraphs on page 83 could be misunderstood. We assume these 
relate to joint data controller relationships or arrangements which were previously understood to 
be “data controllers in common” and are not intended to suggest that where the data processor 
sends the marketing as part of a contractual arrangement with a data controller, the data 
processor requires separate and specific valid consent to send the marketing for its 
organisation. 


There are a number of terms within the document which we appreciate are taken from general 
data protection terminology however believe organisations would benefit from some guidance 
or checks/balances on how to interpret what this means for them. This includes words such as 
“unlikely”, “reasonable” and “intrusive”. In addition, further guidance to enable us to interpret 
terms such as “large-scale”, “anti-social” and “frequent redialing” would be useful. 

The definition of ‘profiling’ in the glossary specifically refers to “automated” processing but there 
is no definition or quantification of “automated”. Not all profiling activity is solely automated, 
some will be completely manual, some will have degrees of automation within them e.g. a 
person configures a computer to run a report regularly. Currently there is a need for 
organisations to pragmatically apply the regulations to activity which is profiling but which 
happens manually or in a non-automated fashion. We believe there would be benefit in 
revisiting this to assist organisations in applying the recommendations and legislative 
requirements appropriately across all profiling activity. 


With regard to the section ‘What do we do if someone objects to our direct marketing’, and 
specifically with reference to making individuals aware of their rights to object to processing for 
direct marketing purposes, we would ask whether including this information within a privacy 
policy is considered “separately from other matters”? 


We would recommend adding the Fundraising Preference Service (FPS) to the suppression 
services listed on page 111. 


Under the ‘What do we need to tell people if we collect their data from other sources’ it notes 
that we need to provide the source of the data. While we agree with this principle, in practice 
this will be hard to do as part of the Fair Processing Notice we already use. As the source may 
vary, we would suggest it is acceptable to provide the specifics on request, or as part of a 
second tier/layer within the privacy information. 


We would suggest either adding to the table on page 79, or inserting an additional table, to 
cover whether GDPR applies, as well as PECR to show the interaction between the two pieces 
of legislation more clearly. 


About you 


Q8 Are you answering as: 


An individual acting in a private capacity (e.g.
someone providing their views as a member of the
public)

An individual acting in a professional capacity

x On behalf of an organisation

Other


Please specify the name of your organisation: 


Great Ormond Street Hospital Children’s Charity 


If other please specify: 


Q9 How did you find out about this survey? 


ICO Twitter account
ICO LinkedIn account
ICO website
x ICO newsletter
ICO staff member
Colleague
ICO Facebook account
Personal/work Twitter account
Personal/work Facebook account
Personal/work LinkedIn account
Other

If other please specify: 




Thank you for taking the time to complete the survey 


